CVE-2017-5082 : Failure to take advantage of available mitigations in credit card autofill in Go

Failure to take advantage of available mitigations in credit card autofill in Google Chrome prior to 59.0.3071.92 for Android allowed a local attacker to take screen shots of credit card information via a crafted HTML page.

Published 2017-10-27 05:29:01

Updated 2018-01-05 02:31:44

Source Google Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2017-5082

Google » Chrome
Versions before (<) 59.0.3071.92
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions
When used together with: Google » Android » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2017-5082

EPSS FAQ

0.15%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 32 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-5082

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-5082

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-5082

http://www.securityfocus.com/bid/98861

Google Chrome Prior to 59.0.3071.86 Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html

Chrome Releases: Stable Channel Update for Desktop
Release Notes;Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1038622

Google Chrome Multiple Flaws Let Remote Users Spoof URLs, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
https://crbug.com/721579

721579 - Security: FLAG_SECURE not used on Android for credit cards pre-fills - chromium - Monorail
Exploit;Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1399

RHSA-2017:1399 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://security.gentoo.org/glsa/201706-20

Chromium: Multiple vulnerabilities (GLSA 201706-20) — Gentoo security
Third Party Advisory;VDB Entry

CVEs referencing this url
https://wwws.nightwatchcybersecurity.com/2017/07/27/chrome-for-android-didnt-use-flag_secure-for-credit-card-prefill-settings-cve-2017-5082/

Chrome for Android Didn’t Use FLAG_SECURE for Credit Card Prefill Settings [CVE-2017-5082] | Nightwatch Cybersecurity
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2017-5082

Products affected by CVE-2017-5082

Exploit prediction scoring system (EPSS) score for CVE-2017-5082

CVSS scores for CVE-2017-5082

CWE ids for CVE-2017-5082

References for CVE-2017-5082